ISO 9001

ISO 9001 is the international standard for quality management systems (QMS). This document details how ZapEHR's engineering processes map to, and conform with, the clauses of ISO 9001. The clause numbers and titles used below are those of the ISO 9001:2008 edition (the 2015 revision restructured the standard into clauses 4 to 10); where a clause is marked "n/a", no engineering-process mapping is claimed for it.

Mapping to ISO 9001 Standard

| Number | ISO clause | Requirement | In practice |
|---|---|---|---|
| 1 | 4.1 General requirements | Establish, document, implement and maintain a QMS and continually improve its effectiveness. | Sprint retrospective |
| 2 | 4.2 Documentation requirements | Documentation is created and maintained. | Product backlog creation, issue creation, sprint planning and retrospectives |
| 3 | 5.1 Management commitment | Provide evidence of commitment to the development and implementation of the QMS and to continually improving its effectiveness, including establishing the quality policy and quality objectives, conducting management reviews and ensuring resource availability. | n/a |
| 4 | 5.2 Customer focus | Ensure that customer requirements are determined and met with the aim of enhancing customer satisfaction. | Product backlog creation and grooming |
| 5 | 5.3 Quality policy | Establish, implement and maintain a quality policy that is appropriate to the organization, provides a framework for setting quality objectives, and is communicated and understood within the organization. The policy must also be reviewed for continuing suitability. | n/a |
| 6 | 5.4 Planning | Ensure that quality objectives are established at relevant functions and levels, and that planning of the QMS is carried out to meet these objectives. | n/a |
| 7 | 5.5 Responsibility, authority and communication | Responsibilities and authorities must be defined and communicated within the organization. Effective internal communication processes must also be established. | Distinct roles in the scrum team (product owner, scrum master, contributors and QA); regular stand-up meetings, product backlog grooming, sprint review, sprint retrospective |
| 8 | 5.6 Management review | Review the QMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. Records from management reviews must be maintained. | n/a |
| 9 | 6.1 Provision of resources | Determine and provide the resources needed to implement, maintain and continually improve the QMS and enhance customer satisfaction. | n/a |
| 10 | 6.2 Human resources | Personnel performing work affecting conformity to product requirements must be competent on the basis of appropriate education, training, skills and experience. The necessary competence is determined, training or other actions are provided and their effectiveness evaluated, and records of education, training, skills and experience are maintained. | n/a |
| 11 | 6.3 Infrastructure | Determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. | Product backlog creation, issue creation, sprint planning and retrospectives |
| 12 | 6.4 Work environment | Determine and manage the work environment needed to achieve conformity to product requirements. | n/a |
| 13 | 7.1 Planning of product realization | Plan and develop the processes needed for product realization. | Product backlog creation, sprint planning, sprint backlog creation and user stories |
| 14 | 7.2 Customer-related processes | Ensure that requirements are captured and reviewed, and that communication with the customer about requirements, bugs, etc. is an ongoing process. | n/a |
| 15 | 7.3 Design and development: planning | Plan and control the design and development of the product. | Sprint planning |
| | 7.3: inputs | Inputs relating to product requirements shall be determined and records maintained. | GitHub issues filed by developers, with descriptions and acceptance criteria; design documentation in Google Docs where applicable |
| | 7.3: outputs | Outputs of design and development shall be in a form suitable for verification against the design and development inputs, and shall be approved prior to release. | Pull requests require review; each issue is tested by the QA team |
| | 7.3: review | At suitable stages, systematic reviews of design and development shall be performed in accordance with planned arrangements. | Sprint retrospectives, quarterly security and compliance review, annual SOC 2 review |
| | 7.3: verification | Verification shall be performed in accordance with planned arrangements to ensure that the design and development outputs meet the input requirements. | Testing, automated code scanning tools, linting tools, automated tools such as Inferno |
| | 7.3: control of changes | Design and development changes shall be identified, and records and logs maintained. | Issue tracking in GitHub, backlog grooming and sprint review |
| 16 | 7.4 Purchasing | Ensure that purchased products conform to specified requirements. Evaluate and select suppliers based on their ability to meet these requirements, and maintain records of evaluations and resulting actions. | n/a |
| 17 | 7.5 Production and service provision | Plan and carry out production and service provision under controlled conditions, including the availability of information, suitable equipment, monitoring and measurement activities, and release and delivery processes. | n/a |
| 18 | 7.6 Control of monitoring and measuring devices | Determine the monitoring and measurement devices needed to ensure conformity to requirements. Calibrate, verify and maintain these devices and keep records of the results. | n/a |
| 19 | 8.1 General | Plan and implement the monitoring, measurement, analysis and improvement processes needed to demonstrate conformity to product requirements and continually improve the effectiveness of the QMS. | n/a |
| 20 | 8.2 Monitoring and measurement: customer satisfaction | The team monitors information relating to customer perception as to whether customer requirements have been met. | Customer-submitted issue tracking, sprint review |
| | 8.2: monitoring and measurement of product | The team monitors and measures the characteristics of the built product to verify that the requirements have been met. | Sprint review, stand-up, sprint planning, system monitoring with alarms, logging, on-call staff |
| 21 | 8.3 Control of non-conforming product | Ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. | Testing, backlog grooming and sprint review |
| 22 | 8.4 Analysis of data | Determine, collect and analyze appropriate data to demonstrate the suitability and effectiveness of the QMS, and evaluate where its effectiveness can be continually improved. | Quarterly security and compliance review, sprint retrospective |
| 23 | 8.5 Improvement: corrective action | Take action to eliminate the causes of nonconformities in order to prevent recurrence. | Quarterly security and compliance review, incident root cause analysis, sprint retrospective |
| | 8.5: preventive action | Determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. | Quarterly security and compliance review, root cause analysis, sprint retrospective, product backlog grooming, static analysis tools |